On May 26, 2021, the first personal data protection law came into force in Ecuador. With this, Ecuador begins a decisive journey of changes that will profoundly mark its future in a digital society and economy, where the protection of personal data is a matter of increasing relevance.
This new beginning can turn into a story of progress or a true nightmare that ends up stagnating the country in a paper scheme that does not really fulfil its function. To avoid this, it is necessary to face these 3 key challenges:
1. Correct the errors of the law.
The Ecuadorian data protection law was not built from scratch but took as a model the GDPR. Its general quality is not bad altough it is not exempt from problematic points both in substance and in form.
- The substance problems for a practical approach, at least for the moment, are not highly relevant. Consider them will be important from a theoretical point of view in the academy. One of these problematic points, for example, is whether it is really coherent to recognize the right to digital education (proper right of the digital society) in a law whose specific object clearly stated in article 1 is exclusively "to guarantee the exercise of the right to personal data protection”and not other rights in general. The convenience of not recognizing the right to be forgotten is also a relevant issue.
- The formal problems are a challenge that is more relevant at a practical level. In the Ecuadorian case, the political instrumentalization of the norm led the legislator to discuss the law in a hurry (in a single day along with five other laws) in the last days of his mandate after considerable time of inactivity. Finally, the law was approved by the President of the Republic, without objections, despite the fact that the normative text contained important errors.
These formal errors are not simple ambiguities but much more considerable issues such as incomplete or repetitive words and articles (arts. 4, 36, 46) wrong or discordant references to both non-existent issues (arts. 43, 44, 46, 66) and to article numbering changed in the legislative process (art. 19.4). A more extensive study in this regard is made in the work of my authorship "Designing the future: protection of personal data", pages 109-113, available in Spanish here.
These errors must be corrected as they can be the source of various difficulties. A clear example is the case of the National telecommunications corporation (in Spanish, CNT), a company that, in the face of the ransomware attack that was discovered in July of this year, had to notify the data subjects with a minimum of information that the legislator did not include despite the fact that it refers to its existence (see Articles 43 and 46 of the law).
Correcting these manifest formal errors made by the legislator will be a task of capital importance to implement in the country a solid system of personal data protection.
2. The development of regulations and the culture of compliance
The law must be complemented by a regulation issued by the executive power that develops some stipulations. This has not happened yet. Nor has the Personal Data Protection Authority been created. These two milestones are relevant for the development of the Ecuadorian regulatory framework on the matter.
In addition, its absence -conjugated with the vacancy time that one has (2 years) to implement the standard before the corrective measures and sanctions come into effect- makes several entities consider that it is too early to start a project to implement the regulations. Several wish to wait for there to be more regulations as they consider that some points are not yet complete. For instance:
- the parameters for the implementation of personal data protection measures by default and from the design (art. 39); or,
- the parameters of the large-scale processing of special categories of personal data that requires the appointment of a personal data protection officer.
The challenge is to be able to issue the regulation as soon as possible and appoint the Control Authority; in addition to seeking to encourage public and private entities not to wait too long to implement the regulatory changes required by law. The latter because although there are points that must be developed, it is perfectly possible to start implementing it now.
3. Independent authority and not politically instrumentalized.
Historically, the political instrumentalization of state entities and state companies, in addition to cases of corruption:
- has given highly relevant positions to low-skilled people who have ended up being awful managers.
- has turned some control entities into a tool to persecute political opponents or certain groups.
Although the latter seems to be less likely in the government of the current president Guillermo Lasso, it is still important to point out that the personal data protection authority will have to overcome the obsolete perspective of being exclusively an entity of "administrative police" eager to prosecute and punish , to become a facilitator of the fulfilment of obligations and promoter of rights. This change in attitude is key to building a culture of personal data protection in the country.
These are the main challenges that Ecuador faces to turn this new beginning into a story of progress and avoid the nightmare of having a dysfunctional personal data protection system in the midst of the 4.0 revolution. We are in time to make history.
Article provided by: Pablo Arteaga (M. Bodero & Asociados, Ecuador)
Dr. Tobias Höllwarth (Managing Director INPLP)